
Re: ldap_sasl_interactive_bind_s: Local error ???



Wed, 2002-11-20 at 13:43, Bill Dossett wrote:

> > 2: *Raw* Openldap SSL/TLS (TLS is different from SSL) does not use SASL,
> > which seems to be throwing you out (although SSL is referred to as
> > SASL EXTERNAL). Not that SSL is not a valid SASL extra, it's just that
> > Openssl SASL is not necessary for Openldap SSL/TLS.

> I'm a little confused by the statement "TLS is different from SSL".
>  From my understanding, StartTLS, is different, but TLS and SSL
> are two names for the same thing...  I could certainly be wrong,
> and I guess this is for the OpenSSL list, but seeing as almost
> everyone seems to be using some form of SSL, I think it is sort
> of pertinent to this list as well.

Both use SSL encryption, with the same certificate exchange protocol.

However, Openldap SSL (and Exim, Sendmail, pop3d etc. etc.) can use SSL
for encryption without premise. They would do so for something like smtp
AUTH PLAIN/etc or ldaps auth. In this case, whatever the ports used,
encryption is used for all communication from the word "go." ldaps uses
port 636, pop3s 995, https 443 etc (look inside /etc/services).

TLS can use existing service ports, such as ldap on 389 and smtp on port
25. In this case, the client has to give a "starttls" command to enable
encryption, but the same encryption protocol and certs can be used for
both.

Hope this helps,

Tony

-- 

Tony Earnshaw

When all's said and done ...
there's nothing left to say or do.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
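The two connection styles Tony describes (ldaps on its own port with TLS from the first byte, versus plain ldap on 389 upgraded by the StartTLS operation) are shown below as an added example; it is not part of the thread or of OpenLDAP itself. It hand-encodes the LDAP StartTLS ExtendedRequest in BER, checks the server's ExtendedResponse before handing the socket to TLS, and assumes the standard ports and a host name of your choosing; the `recv(4096)` assumes the short response arrives in one read.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # LDAP StartTLS extended operation (RFC 4511/4513)

def ber(tag: int, content: bytes) -> bytes:
    """Tag-length-value with a BER definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def read_tlv(buf: bytes, off: int = 0):
    """Decode one TLV at buf[off]; returns (tag, content, offset just past it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID (small positive), ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    ext_req = ber(0x77, ber(0x80, STARTTLS_OID))
    return ber(0x30, ber(0x02, bytes([message_id])) + ext_req)

def parse_result_code(msg: bytes) -> int:
    """resultCode of an ExtendedResponse [APPLICATION 24]; 0 is success."""
    tag, body, _ = read_tlv(msg)
    _, _, off = read_tlv(body)             # skip INTEGER messageID
    op_tag, op, _ = read_tlv(body, off)
    if tag != 0x30 or op_tag != 0x78:
        raise ValueError("not an LDAP ExtendedResponse")
    _, code, _ = read_tlv(op)              # ENUMERATED resultCode comes first
    return int.from_bytes(code, "big")

def connect_ldaps(host: str, ctx=None) -> ssl.SSLSocket:
    """ldaps://: TLS from the first byte, on its own port (636)."""
    ctx = ctx or ssl.create_default_context()
    return ctx.wrap_socket(socket.create_connection((host, 636)), server_hostname=host)

def connect_starttls(host: str, ctx=None) -> ssl.SSLSocket:
    """ldap://: plain TCP on 389, then StartTLS upgrades that same socket before any bind."""
    ctx = ctx or ssl.create_default_context()
    sock = socket.create_connection((host, 389))
    sock.sendall(starttls_request())
    if parse_result_code(sock.recv(4096)) != 0:   # assumption: whole response in one read
        sock.close()
        raise RuntimeError("server refused StartTLS; refusing to bind in clear")
    return ctx.wrap_socket(sock, server_hostname=host)
```

Either helper returns a TLS-wrapped socket on which the bind (SASL or simple) is then sent; the point of the check in `connect_starttls` is that a refused StartTLS must not fall through to a cleartext bind.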